Information About SSH and Telnet

SSH Server

You can use the SSH server to enable an SSH client to make a secure, encrypted connection to a Cisco NX-OS device. SSH uses strong encryption for authentication. The SSH server in the Cisco NX-OS software can interoperate with publicly and commercially available SSH clients.

The user authentication mechanisms supported for SSH are RADIUS, TACACS+, and the use of locally stored usernames and passwords.

SSH Client

The SSH client feature is an application that runs over the SSH protocol to provide device authentication and encryption. The SSH client enables a Cisco NX-OS device to make a secure, encrypted connection to another Cisco NX-OS device or to any other device that runs the SSH server. This connection provides an outbound connection that is encrypted. With authentication and encryption, the SSH client allows for a secure communication over an insecure network.

The SSH client in the Cisco NX-OS software works with publicly and commercially available SSH servers.

SSH Server Keys

SSH requires server keys for secure communications to the Cisco NX-OS device. You can use SSH server keys for the following SSH options:

Be sure to have an SSH server key-pair with the appropriate version before enabling the SSH service. You can generate the SSH server key-pair according to the SSH client version used. The SSH service accepts two types of key-pairs for use by SSH version 2:

• The dsa option generates the DSA key-pair for the SSH version 2 protocol.

• The rsa option generates the RSA key-pair for the SSH version 2 protocol.

By default, the Cisco NX-OS software generates an RSA key using 1024 bits.

SSH supports the following public key formats:

• OpenSSH

• IETF Secure Shell (SECSH)

Caution: If you delete all of the SSH keys, you cannot start the SSH services.
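The two public key formats named above, OpenSSH and IETF SECSH (RFC 4716), carry the same ssh-rsa key blob; the following added example (not Cisco's code) encodes, parses and converts such a blob between the two formats and reports the modulus size, so that a server key left at the 1024-bit default stands out. The exponent and moduli it builds are constructed values for the demonstration, not a real key pair, and the 2048-bit minimum is an assumed local policy, not a value from this guide.

```python
import base64
import hashlib
import struct

# Added example, not Cisco code: encode, parse and convert an ssh-rsa public
# key between the OpenSSH one-line form and the IETF SECSH (RFC 4716) form,
# and report the modulus size. Sample moduli below are constructed numbers.

MIN_RSA_BITS = 2048  # assumed policy minimum, not a value from the page

def _ssh_string(data: bytes) -> bytes:
    """SSH 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(n: int) -> bytes:
    """SSH 'mpint': big-endian magnitude, zero-prefixed if the top bit is set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)

def rsa_blob(e: int, n: int) -> bytes:
    """Wire form of an ssh-rsa public key: string 'ssh-rsa', mpint e, mpint n."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)

def _read_string(buf: bytes, pos: int):
    (length,) = struct.unpack(">I", buf[pos:pos + 4])
    return buf[pos + 4:pos + 4 + length], pos + 4 + length

def parse_blob(blob: bytes) -> dict:
    """Decode an ssh-rsa blob into exponent, modulus and modulus bit length."""
    alg, pos = _read_string(blob, 0)
    if alg != b"ssh-rsa":
        raise ValueError(f"unsupported key type {alg!r}")
    e_bytes, pos = _read_string(blob, pos)
    n_bytes, pos = _read_string(blob, pos)
    if pos != len(blob):
        raise ValueError("trailing bytes after modulus")
    n = int.from_bytes(n_bytes, "big")
    return {"e": int.from_bytes(e_bytes, "big"), "n": n, "bits": n.bit_length()}

def fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint: unpadded base64 of the blob's digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def to_openssh(blob: bytes, comment: str = "") -> str:
    """OpenSSH public key line: '<type> <base64 blob> [comment]'."""
    line = "ssh-rsa " + base64.b64encode(blob).decode()
    return f"{line} {comment}" if comment else line

def from_openssh(line: str) -> bytes:
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an OpenSSH ssh-rsa line")
    return base64.b64decode(parts[1])

def to_secsh(blob: bytes, comment: str = "") -> str:
    """RFC 4716 form: BEGIN/END markers, optional headers, base64 wrapped at 70."""
    b64 = base64.b64encode(blob).decode()
    lines = ["---- BEGIN SSH2 PUBLIC KEY ----"]
    if comment:
        lines.append(f'Comment: "{comment}"')
    lines += [b64[i:i + 70] for i in range(0, len(b64), 70)]
    lines.append("---- END SSH2 PUBLIC KEY ----")
    return "\n".join(lines)

def from_secsh(text: str) -> bytes:
    lines = [l.strip() for l in text.strip().splitlines()]
    if lines[0] != "---- BEGIN SSH2 PUBLIC KEY ----" or lines[-1] != "---- END SSH2 PUBLIC KEY ----":
        raise ValueError("missing SECSH markers")
    body, i = [], 1
    while i < len(lines) - 1:
        if ":" in lines[i]:                 # header line; may continue with '\'
            while lines[i].endswith("\\"):
                i += 1
        else:                               # base64 never contains ':'
            body.append(lines[i])
        i += 1
    return base64.b64decode("".join(body))

def assess(blob: bytes, minimum_bits: int = MIN_RSA_BITS) -> dict:
    """Parse a key and flag it if the modulus is below the policy minimum."""
    info = parse_blob(blob)
    info["fingerprint"] = fingerprint(blob)
    info["weak"] = info["bits"] < minimum_bits
    return info

# Constructed sample moduli with the top bit set so the size is exact (not real RSA keys).
WEAK_KEY = rsa_blob(65537, (1 << 1023) | 1)    # 1024-bit, the NX-OS default size
STRONG_KEY = rsa_blob(65537, (1 << 2047) | 1)  # 2048-bit

if __name__ == "__main__":
    for name, blob in (("default-1024", WEAK_KEY), ("2048", STRONG_KEY)):
        info = assess(blob)
        print(name, info["bits"], "bits", info["fingerprint"], "WEAK" if info["weak"] else "ok")
    print(to_secsh(STRONG_KEY, "nx-os"))
```

Run it on a key exported from the device in either format (feed the text to from_openssh or from_secsh, then assess) to see whether the modulus size meets your policy before you rely on that key for host authentication.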

SSH Authentication Using Digital Certificates

SSH authentication on NX-OS devices provides X.509 digital certificate support for host authentication. An X.509 digital certificate is a data item that ensures the origin and integrity of a message. It contains encryption keys for secured communications and is "signed" by a trusted certification authority (CA) to verify the identity of the presenter. The X.509 digital certificate support provides either DSA or RSA algorithms for authentication.

The certificate infrastructure uses the first certificate that supports the Secure Socket Layer (SSL) and is returned by the security infrastructure, either through query or notification. Verification of certificates is successful if the certificates are from any of the trusted CAs.

You can configure your device for either SSH authentication using an X.509 certificate or SSH authentication using a Public Key Certificate, but not both. If either of them is configured and the authentication fails, you are prompted for a password.

Telnet Server

The Telnet protocol enables TCP/IP connections to a host. Telnet allows a user at one site to establish a TCP connection to a login server at another site and then passes the keystrokes from one device to the other. Telnet can accept either an IP address or a domain name as the remote device address.

The Telnet server is disabled by default on the NX-OS device.

Virtualization Support

SSH and Telnet configuration and operation are local to the virtual device context (VDC). For more information on VDCs, see the Cisco Nexus 7000 Series NX-OS Virtual Device Context Configuration Guide, Release 4.1.

Licensing Requirements for SSH and Telnet

The following table shows the licensing requirements for this feature:

Product: NX-OS

License Requirement: SSH and Telnet require no license. Any feature not included in a license package is bundled with the Cisco NX-OS system images and is provided at no extra charge to you. For a complete explanation of the NX-OS licensing scheme, see the Cisco Nexus 7000 Series NX-OS Licensing Guide, Release 4.1.

Prerequisites for SSH

SSH and Telnet have the following prerequisites:

• You have configured IP on a Layer 3 interface, out-of-band on the mgmt 0 interface, or inband on an Ethernet interface.

Guidelines and Limitations

SSH and Telnet have the following configuration guidelines and limitations:

• The Cisco NX-OS software supports only SSH version 2 (SSHv2).

• You can configure your device for either SSH authentication using an X.509 certificate or SSH authentication using a Public Key Certificate, but not both. If either of them is configured and the authentication fails, you are prompted for a password.

BEFORE YOU BEGIN

Obtain the hostname for the remote device and, if needed, the username on the remote device.

Enable the SSH server on the remote device.

SUMMARY STEPS

1. ssh [username@]{ipv4-address | hostname} [vrf vrf-name]

ssh6 [username@]{ipv6-address | hostname} [vrf vrf-name]

DETAILED STEPS

Command

Purpose

Step 1

ssh [username@]{ipv4-address | hostname} [vrf vrf-name]

Example:

switch# ssh 10.10.1.1

Creates an SSH session to a remote device over IPv4. If you omit the vrf keyword, the session uses the default VRF.

ssh6 [username@]{ipv6-address | hostname} [vrf vrf-name]

Example:

switch# ssh6 HostA

Creates an SSH IPv6 session to a remote device using IPv6.

Clearing SSH Hosts

When you download a file from a server using SCP or SFTP, or when you start an SSH session from this device to a remote host, you establish a trusted SSH relationship with that server. You can clear the list of trusted SSH servers for your user account.

BEFORE YOU BEGIN

Ensure that you are in the correct VDC (or use the switchto vdc command).

SUMMARY STEPS

1. clear ssh hosts

DETAILED STEPS

Command

Purpose

Step 1

clear ssh hosts

Example:

switch# clear ssh hosts

Clears the list of trusted SSH hosts for your user account.
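The trusted relationship described above is a trust-on-first-use store: the server's key is remembered at the first SCP, SFTP or SSH contact, every later contact must present the same key, and clear ssh hosts discards the whole list. The following added example (not Cisco's code) models that store and the one failure mode an operator meets, a key that no longer matches. Host names and fingerprints in it are constructed.

```python
# Added example, not Cisco code: a model of the per-user trusted-host list.
# A server's key fingerprint is recorded on first contact, checked on every
# later contact, and the whole list can be discarded at once (clear ssh hosts).

class HostKeyMismatch(Exception):
    """The server presented a key that differs from the one trusted earlier."""

class TrustedHosts:
    def __init__(self):
        self._keys = {}  # (host, port) -> fingerprint recorded at first use

    def verify(self, host: str, fingerprint: str, port: int = 22) -> str:
        """Return 'new' (first contact, now trusted) or 'known' (matches);
        raise HostKeyMismatch when the offered key differs from the record."""
        entry = (host.lower(), port)
        known = self._keys.get(entry)
        if known is None:
            self._keys[entry] = fingerprint
            return "new"
        if known != fingerprint:
            raise HostKeyMismatch(
                f"{host}:{port} key changed: trusted {known}, offered {fingerprint}")
        return "known"

    def clear(self) -> int:
        """Forget every trusted server, as clear ssh hosts does; returns the count removed."""
        count = len(self._keys)
        self._keys.clear()
        return count

    def __len__(self) -> int:
        return len(self._keys)

def walk_through() -> list:
    """Constructed sequence: first contact, repeat, changed key, clear, re-trust."""
    trusted = TrustedHosts()
    events = []
    events.append(trusted.verify("HostA", "SHA256:oldkey"))   # first contact -> 'new'
    events.append(trusted.verify("hosta", "SHA256:oldkey"))   # same host, same key -> 'known'
    try:
        # The remote device regenerated its server key, or something else now
        # answers for HostA; from the client's side the two look identical.
        trusted.verify("HostA", "SHA256:newkey")
    except HostKeyMismatch:
        events.append("mismatch")
    events.append(trusted.clear())                            # one entry removed -> 1
    events.append(trusted.verify("HostA", "SHA256:newkey"))   # trusted afresh -> 'new'
    return events

if __name__ == "__main__":
    print(walk_through())
```

The mismatch is the whole point of the store: a legitimately regenerated server key and a substituted one produce the same error, so confirm the new fingerprint out of band with the owner of the remote device before clearing the list and reconnecting.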

Disabling the SSH Server

By default, the SSH server is enabled on the NX-OS device. You can disable the SSH server to prevent SSH access to the switch.

BEFORE YOU BEGIN

Ensure that you are in the correct VDC (or use the switchto vdc command).

SUMMARY STEPS

1. config t

2. no feature ssh

3. exit

4. show ssh server

5. copy running-config startup-config

DETAILED STEPS

Command

Purpose

Step 1

config t

Example:

switch# config t

switch(config)#

Enters global configuration mode.

Step 2

no feature ssh

Example:

switch(config)# no feature ssh

Disables the SSH server. The default is enabled.

Step 3

exit

Example:

switch(config)# exit

switch#

Exits global configuration mode.

Step 4

show ssh server

Example:

switch# show ssh server

(Optional) Displays the SSH server configuration.

Step 5

copy running-config startup-config

Example:

switch# copy running-config startup-config

(Optional) Copies the running configuration to the startup configuration.
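After the procedure above, the only record of the change is the running-config (and the startup-config once saved). The following added example (not Cisco's code) derives the state of the SSH and Telnet servers from running-config text using the defaults this guide states (SSH server enabled, Telnet server disabled) and reports what a reviewer would flag. It assumes that a disabled default-enabled feature appears as "no feature ssh" and that the Telnet server is toggled with feature telnet / no feature telnet; the configuration snippets in it are constructed samples.

```python
import re

# Added example, not Cisco code: derive SSH/Telnet server state from NX-OS
# running-config text. Defaults per the guide: SSH enabled, Telnet disabled.
# Assumes a disabled default-on feature shows up as 'no feature ssh'.

DEFAULTS = {"ssh": True, "telnet": False}
FEATURE_RE = re.compile(r"^\s*(no\s+)?feature\s+(ssh|telnet)\s*$")

def feature_state(running_config: str) -> dict:
    """'feature X' enables, 'no feature X' disables, absence means the default."""
    state = dict(DEFAULTS)
    for line in running_config.splitlines():
        m = FEATURE_RE.match(line)
        if m:
            state[m.group(2)] = m.group(1) is None
    return state

def audit(running_config: str, ssh_allowed: bool = True) -> list:
    """Findings about remote CLI access, in the order a reviewer would raise them."""
    state = feature_state(running_config)
    findings = []
    if state["telnet"]:
        findings.append("Telnet server enabled: logins cross the network in "
                        "cleartext; disable with 'no feature telnet'")
    if state["ssh"] and not ssh_allowed:
        findings.append("SSH server enabled but policy requires it off: apply 'no feature ssh'")
    if not state["ssh"] and not state["telnet"]:
        findings.append("neither SSH nor Telnet server enabled: remote CLI access is off, "
                        "confirm console access before copy running-config startup-config")
    return findings

# Constructed running-config samples.
SAMPLE_DEFAULT = "hostname switch\nfeature ssh\n"
SAMPLE_TELNET = "hostname switch\nfeature ssh\nfeature telnet\n"
SAMPLE_SSH_OFF = "hostname switch\nno feature ssh\n"

if __name__ == "__main__":
    for name, cfg in (("default", SAMPLE_DEFAULT), ("telnet", SAMPLE_TELNET),
                      ("ssh-off", SAMPLE_SSH_OFF)):
        print(name, feature_state(cfg), audit(cfg))
```

Feed it the text of show running-config from the device; an empty findings list means only SSH is listening, which is the state this section's procedures leave behind when SSH stays enabled and Telnet stays at its default.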